SNS 4.6.10 bug fixes

System

IPsec VPN

Support references 84572 - 84708 - 85270 - 85272

When the subject of a certificate from a trusted CA contains a non-ASCII encoded character, this no longer prevents the setup of IPsec tunnels based on this CA.

VPN - Verification of peer certificate revocation (CRL)

Support reference 82506

Deploying a VPN topology, on which the CRLRequired parameter is enabled, from an SMC server no longer overwrites the CA's certificate revocation list (CRL) on the SNS firewall.

IPsec VPN - IKEv1 - Certificate authentication and XAuth

Support reference 85283

During the setup of an IKEv1 IPsec tunnel with certificate authentication and XAuth, user groups are now correctly saved in the intrusion prevention engine's tables. Such groups can once again be used in filter rules. This regression appeared in SNS version 4.2.

Multi-user SSH authentication - SCP command

Support reference 84848

Accounts that have been declared as firewall administrators with the "Console (SSH)" permission can once again run the SCP command over SSH. This issue did not affect the "admin" account.

SNi40 industrial firewalls

Support reference 85078

On SNi40 firewalls with bypass configured in Safety mode, the bypass active mode could wrongly appear as Safety mode. This issue has been fixed.

SN-S-Series-320 and SN-M-Series-520 model firewalls

The maximum number of HTTP/FTP/SMTP/POP3 connections allowed on SN-S-Series-320 and SN-M-Series-520 model firewalls was wrong and will be fixed when the firewall is updated to version 4.6.10 or higher.

IPsec load balancing on CPUs - SN510, SN2000, SN2100 and SN3100 model firewalls

An issue with concurrent access in the IPsec encryption load balancing mechanism on CPUs has been fixed on SN510, SN2000, SN2100 and SN3100 model firewalls. Reminder: IPsec encryption load balancing can be configured using the CLI/Serverd command CONFIG IPSEC CRYPTOLB UPDATE.

8-port RJ45 module

Support references 82270 - 85269

When an unexpected freeze on the 8-port RJ45 network module is detected, the firewall will be automatically restarted to allow this module to reconnect to the network.

Proxies

Support references 85041 - 85048 - 85260 - 85286 - 85314

Proxies no longer freeze when the action associated with the SSL protocol analysis of Unknown certificates is set to Delegate to user and an SSL decryption rule encounters certificates with either of the following characteristics:

  • Certificates with a blank Subject field,
  • Certificates signed by a certification authority that the proxy does not recognize as trusted (e.g., self-signed certificates).

Support reference 85254

Issues with memory leaks on proxies have been fixed.

IPsec tunnel monitoring

Support reference 85318

In IPsec tunnel monitoring, an anomaly that caused tunnels set up with peers in Responder-only mode to appear as bypass policies has been fixed.

SSL VPN

The following can no longer be selected for the SSL VPN server:

  • A TCP listening port below 1024,
  • A UDP listening port below 1024, except UDP/443.

Intrusion prevention engine

ICMP request

Support references 84197 - 85387

On firewalls with:

  • A server behind a protected interface,
  • Two separate Internet access links.

Following a request from an unprotected network to the server, if the server was not listening on the requested port, the ICMP type 3 packets that it sent back would always take the default route. These packets now take the configured return route.

NTP protocol

Support reference 85077

Verifications of the NTP field reference_timestamp would wrongly raise a 451 alarm in the NTP plugin. As this verification was unnecessary, it has been removed.

High availability

Support reference 84766

During a switchover in the cluster, an anomaly in the processing of some established TCP/UDP connections could cause the cluster to become unstable. This anomaly has been fixed.

Web administration interface

IPsec VPN

Support reference 85312

The presence of a space in the name of a mobile IPsec VPN configuration prevents the IPsec policy from reloading and makes it inoperative. The firewall's web administration interface and the CLI/Serverd command CONFIG IPSEC POLICY MOBILE UPDATE now prohibit spaces from being entered in the names of mobile IPsec policies.

Support reference 85334

The names of IPsec VPN rules can no longer be deleted, as rules with a blank name field prevent the IPsec policy from fully reloading.

SMTP filtering

Support reference 85347

The web administration interface no longer wrongly prohibits the definition of several rules that reference the same sender for different recipients. This regression appeared in version 4.0.

High availability - monitoring

Support reference 85398

The versions of the firmware installed on the main and backup partitions of the passive cluster member are now correctly displayed.